
Protecting license Validation [closed]

Tags: c#, .net

I have implemented a C# assembly which validates the license for the application. The problem is that once we ship this to the client, they can easily find out the keys we're using to encrypt the string.

Signing

Signing the application is a bit painful because several components being used aren't signed and are pre-compiled. So we have to manually disassemble and assemble again with the snk file. The assembly loading is kind of a chain reaction. I want to clarify: is signing required only for the immediate assemblies being loaded? Are the assemblies loaded further from these satellite assemblies also required to be signed?

Obfuscation

The community edition isn't really obfuscating the strings. The code is fundamentally visible. Should I go for a professional edition?

I am quite new to this. Please help.

asked Oct 07 '22 13:10

sarat


1 Answer

I would like to point out one issue which I am sure you are aware of when trying to protect your software. Since the computer that will run the application must be able to "see" all the code and data that you use, there will always be some way for other people to reverse engineer your application. All of the keys and secrets used to protect your software will be available within the data and assemblies that are shipped...

Signing

Signing (strong naming) is used to stop other developers from replacing your critical assembly, the license validation, with one that they control which would allow them to bypass your protection. All assemblies that are to be loaded by a strong named assembly must themselves be strong named. The reasoning for this is that otherwise someone else could replace one of the secondary dependencies (a non strong named assembly further down the chain) with a new implementation that actually sabotages the functionality of the license validation.

Yes, you must strong name all assemblies further down the chain. I know from experience that this can be a pain since many free libraries are not distributed as strong named assemblies. In many cases you can get around this using ILMerge to merge two DLLs and then strong name the resulting combined DLL. See an example ilmerge call here.

Obfuscation

There are free obfuscation tools available that do obfuscate strings properly; otherwise, yes, you must go for a higher level of most paid-for obfuscation tools. The tool I personally like is Eazfuscator; it is full featured and free. Eazfuscator also supports merging assemblies and strong naming them in addition to obfuscation.

License validation comment

Implementing license validation yourself is a pain and error prone. I would recommend you look at other alternatives: either not doing license validation at all, since it adds a level of maintenance and complexity to your software which may not actually offer any financial benefits, or looking at ready-made license implementations such as this small selection (in order of initial price):

  • https://github.com/ayende/rhino-licensing (free/open source)
  • http://www.simplesoftwarelicensing.com/pricing/hobbyist-edition/ (free)
  • http://www.simplesoftwarelicensing.com/ (from 39 USD)
  • http://www.ssware.com/cryptolicensing/cryptolicensing_net.htm (from 149 USD)
  • http://www.infralution.com/licensing.html (from 170 USD)
  • http://ellipter.com/ (from 249 USD)
  • http://desaware.com/products/licensingsystem/index.aspx (from 1495 USD)
  • http://www.crypkey.com/products/instant.php (from 1895 USD)

This is just a small selection of what is available; searching the web will provide many, many ready-made solutions.

Disclaimer: I developed the "Simple Software Licensing" product above as part of a New Year's programming challenge at Donationcoder.

answered Oct 12 '22 11:10

agilejoshua
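
An added example, not part of the answer above or of any tool it names: a small C# audit that walks the reference chain from a root assembly and lists every dependency that carries no strong-name public key, which is the chain requirement the answer describes. It assumes the dependencies sit next to the root assembly (framework and GAC references are skipped) and uses the System.Reflection.Metadata package; the class name `StrongNameAudit` is hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Reflection.Metadata;
using System.Reflection.PortableExecutable;

static class StrongNameAudit
{
    // Returns the simple names of assemblies reachable from rootPath that have no public key.
    public static List<string> FindUnsigned(string rootPath)
    {
        string root = Path.GetFullPath(rootPath);
        string dir = Path.GetDirectoryName(root);
        var unsigned = new List<string>();
        var seen = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        var queue = new Queue<string>();
        queue.Enqueue(root);
        while (queue.Count > 0)
        {
            string path = queue.Dequeue();
            if (!seen.Add(path)) continue;               // already inspected
            using (var stream = File.OpenRead(path))
            using (var pe = new PEReader(stream))
            {
                if (!pe.HasMetadata) continue;           // native DLL, not a .NET assembly
                MetadataReader md = pe.GetMetadataReader();
                if (!md.IsAssembly) continue;            // netmodule without a manifest
                AssemblyDefinition def = md.GetAssemblyDefinition();
                if (def.PublicKey.IsNil)                 // no key means not strong named
                    unsigned.Add(md.GetString(def.Name));
                foreach (AssemblyReferenceHandle h in md.AssemblyReferences)
                {
                    string name = md.GetString(md.GetAssemblyReference(h).Name);
                    // Assumption: private dependencies live beside the root assembly.
                    foreach (string ext in new[] { ".dll", ".exe" })
                    {
                        string candidate = Path.Combine(dir, name + ext);
                        if (File.Exists(candidate)) queue.Enqueue(candidate);
                    }
                }
            }
        }
        return unsigned;
    }

    static int Main(string[] args)
    {
        if (args.Length != 1) { Console.Error.WriteLine("usage: StrongNameAudit <root assembly>"); return 2; }
        List<string> unsigned = FindUnsigned(args[0]);
        foreach (string name in unsigned) Console.WriteLine("not strong named: " + name);
        return unsigned.Count == 0 ? 0 : 1;              // non-zero exit fails a build step
    }
}
```

This only checks that a public key is present in the metadata; it does not validate the signature itself, which `sn.exe -vf <assembly>` does.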